Security Basics mailing list archives
Re: ARP Spoof Question
From: <jfastabe () up edu>
Date: Wed, 23 Jul 2003 14:12:36 -0700 (PDT)
Vineet, I would assume that it would be the last ARP response that the system receives that ends up in the arp table, because i believe that it will setup an entry for each response and since the last one will overwrite the first one the second will be there. But ARP spoofing tools dont bother to wait for the computer to send a request and then try enter a race condition with the other node. They just send a reply to the system and most systems will just put it in their arp table regardless if they have sent a request or not. Also sending a spoofed arp request will work on a lot of operating systems because they create an entry in the arp table based on it to cut down on traffic. Do a quick search at sourceforge.net for arpoison if you want to look at a simply arp spoofing tool. hopes this helps john fastabend On 23 Jul 2003, Vineet Mehta wrote:
Hi all members, I have a small question. I was reading about ARP Spoofing and here is my question. When Node A wants to send some packets to Node C, it sends a ARP Broadcast to find out the MAC address of Node C. This broadcast reaches all nodes in a network in a switched or Hub network. So when Node B is a attacker he catches the ARP Request and sends his MAC address in reply to Node A. This way Node B gets the packets destined for Node C. Q1.My Question is, Node C will also reply to that request of Node A. SO now Node A has 2 different MAC for the same IP. How is Node A handling this situation??? Q2.The switch also updates its table of IP/MAC address bindings, so how is switch handling this situation??? Is it "first-come-first-serve" methodology which Node A/Switch takes??? Thanks in advance Regards, -- Vineet Mehta Network Security Consultant Kuwait Linux Company Kuwait Ph-2412552/2463633 <vineet [at] linux [dot] com [dot] kw> www.linux.com.kw
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: ARP Spoof Question David J. Bianco (Jul 23)
- <Possible follow-ups>
- RE: ARP Spoof Question David Gillett (Jul 23)
- Re: ARP Spoof Question Simon Gray (Jul 23)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question The Fueley (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- Re: ARP Spoof Question Martin Brecher (Jul 28)